The deployer role refers to the individual or organization responsible for the fielded systems that use or otherwise depend on products with vulnerabilities.

Deployers include the following:

...

  • Become aware of vulnerability, mitigation, and/or fix.
  • Prioritize the mitigation or fix into existing workload (triage).
  • Test the mitigation or fix.
  • Confirm that the fix addresses the problem.
  • Avoid undesirable side effects.
  • Identify affected systems and plan the deployment:
    • staged or all-at-once
    • automated or manual
    • scheduled update window or out-of-band
  • Deploy the mitigation or fix to affected systems.

We cover each of these in more detail below.

...

Deployers should be on the lookout for and pay attention to:

  • Vendor security notices
  • Vendor customer support notices (not all vendors provide separate security notices, nor are all vulnerabilities always explicitly called out in update notes)
  • Vulnerability and threat intelligence services
  • Security discussions online including social media
  • Mass media coverage of vulnerabilities

...

  • The system's availability and performance are critical.
  • Reverting a patch deployment gone bad is difficult.

In environments with efficient automated deployment and rollback capabilities, it may not be as necessary to test as heavily. But that's often an ideal scenario that few deployers find themselves in. Staged deployments or rollouts can be a significant help here—where some portion of the affected systems are updated to confirm the fix prior to wider rollout—allowing deployers to balance patch deployment with the risk of negative side effects.
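The deployer steps listed earlier (identify affected systems, plan a staged or all-at-once rollout, deploy, confirm the fix) and the staged-rollout point made here are illustrated in the following added example. It is not part of the original guide; it uses a constructed asset inventory, a hypothetical product "acme-httpd", a hypothetical advisory saying versions below 2.4.7 are affected, and the assumption that version strings are dotted integers. Each stage is verified by re-reading host versions before the next stage starts, so a failed update halts the rollout rather than spreading it.

```python
"""Affected-system identification and staged rollout planning.

Constructed example: a toy asset inventory and a toy vendor advisory, not
real product data. Version strings are assumed to be dotted integers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    ring: str       # "canary" hosts are updated first, then "general"
    critical: bool  # availability-critical systems go in the last stage


# Constructed inventory (hypothetical hosts, products and versions).
INVENTORY = [
    Host("web-01", "acme-httpd", "2.4.3", "canary", False),
    Host("web-02", "acme-httpd", "2.4.3", "general", False),
    Host("web-03", "acme-httpd", "2.4.7", "general", False),  # already fixed
    Host("api-01", "acme-httpd", "2.3.9", "general", True),
    Host("db-01", "acme-db", "9.1.0", "general", True),       # other product
]

# Constructed advisory: acme-httpd versions before 2.4.7 are affected.
ADVISORY = {"product": "acme-httpd", "fixed_in": "2.4.7"}


def parse_version(text):
    """Turn '2.4.7' into (2, 4, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(host, advisory):
    """A host is affected if it runs the advisory's product below the fixed version."""
    return (host.product == advisory["product"]
            and parse_version(host.version) < parse_version(advisory["fixed_in"]))


def find_affected(inventory, advisory):
    """Step 'identify affected systems': filter the inventory against the advisory."""
    return [h for h in inventory if is_affected(h, advisory)]


def plan_stages(affected):
    """Step 'plan the deployment': canary ring first, then non-critical hosts,
    then availability-critical hosts. Empty stages are dropped."""
    canary = [h for h in affected if h.ring == "canary"]
    general = [h for h in affected if h.ring != "canary" and not h.critical]
    critical = [h for h in affected if h.ring != "canary" and h.critical]
    return [stage for stage in (canary, general, critical) if stage]


def verify_stage(stage, observed_versions, advisory):
    """Step 'confirm that the fix addresses the problem': re-read each host's
    version after the update and return the hosts that still look affected.
    A non-empty result means halt (and roll back) before the next stage."""
    still_vulnerable = []
    for host in stage:
        now = observed_versions.get(host.name, host.version)
        updated = Host(host.name, host.product, now, host.ring, host.critical)
        if is_affected(updated, advisory):
            still_vulnerable.append(host.name)
    return still_vulnerable


def run_rollout(inventory, advisory, observed_after_update):
    """Drive the staged rollout. Returns (completed stages, hosts that halted it)."""
    completed = []
    for stage in plan_stages(find_affected(inventory, advisory)):
        leftovers = verify_stage(stage, observed_after_update, advisory)
        if leftovers:
            return completed, leftovers
        completed.append([h.name for h in stage])
    return completed, []


if __name__ == "__main__":
    # Constructed post-update observations: web-02's update silently failed.
    observed = {"web-01": "2.4.7", "web-02": "2.4.3", "api-01": "2.4.7"}
    done, halted = run_rollout(INVENTORY, ADVISORY, observed)
    print("completed stages:", done)
    print("halted because still vulnerable:", halted)
```

In this run the canary stage completes, the second stage halts on web-02, and the critical host api-01 is never touched, which is the point of staging: the blast radius of a bad patch is one ring, not the fleet. Replace the in-memory inventory and the observed-version dictionary with your CMDB and scanner output to use the same logic for real.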

...

Obviously, it is important to actually carry out the deployment of the mitigation or fix. Automated patch deployment tools can make this process quite efficient. Regardless of the degree of automation of patch deployment, recurring or continuous monitoring for vulnerabilities can help measure the success of the deployment effort.
